Date: Fri, 26 Jan 2018 20:15:03 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their bugs fixed?
On Fri, Jan 26, 2018 at 05:48:14PM +0000, Mikhail Utin wrote:
> I 100% agree with Solar's response. We should not limit our freedom to choose how we will handle our intellectual property. That is how I read the original statements below.
Oh, so-called "intellectual property". I'm not thinking in such terms.
What I meant is that projects expecting to receive vulnerability reports
are not to be obliged by some industry standard to impose any specific
rules on the reporters. This does mean that, among other things, those
projects do not have to insist on a maximum embargo time (even though I
advocate that they do), and as a side-effect this might assist someone
probably selfish with monetization of so-called "intellectual property".
Basically, you saw what you wanted to see. Yes, it's kind of there, but
it wasn't in focus.
Alexander